College of Accountancy

IDENTIFYING AND ASSESSING RISK OF MATERIAL MISSTATEMENT

Contents:
1. Concept of Risk
2. Audit Risk Model
3. Identifying and Assessing the Risk of Material Misstatement
4. Risk Assessment Process
5. Significant Risk
6. Risks for Which Substantive Procedures Alone Do Not Provide Sufficient Appropriate
Audit Evidence
7. Revision of Risk Assessment

1. Concept of Risk
Auditing is accompanied by risk. From the reason why there is a need for audit, the
conduct of audit, up to the end of audit, risk is involved.
Risk - the possibility that something unpleasant or unwelcome will happen.
Information risk – risk that the information is misstated or misleading.
Engagement risk (auditor’s business risks) – risk such financial loss, loss from litigation,
adverse publicity, or other events arising in connection with the audit of financial statements (or
other engagement).
Business risk – A risk resulting from significant conditions, events, circumstances, actions or
inactions that could adversely affect an entity’s ability to achieve its objectives and execute its
strategies, or from the setting of inappropriate objectives and strategies.
Audit risk—Audit risk is the risk that the auditor gives an inappropriate audit opinion when the
financial statements are materially misstated. Audit risk has three components: inherent risk,
control risk and detection risk. Inherent risk and control risk are the risk of material misstatement
at the assertion level.
2. Audit Risk Model
Audit risk model is a model that expresses the general relationship of the components of
audit risk in mathematical terms to arrive at an acceptable level of detection risk. It is a tool used by
an auditor to determine the proper response to assessed risks of material misstatement at the
assertion level. It is expressed in the formula:
𝐴𝑢𝑑𝑖𝑡 𝑅𝑖𝑠𝑘 = 𝐼𝑛ℎ𝑒𝑟𝑒𝑛𝑡 𝑅𝑖𝑠𝑘 𝑥 𝐶𝑜𝑛𝑡𝑟𝑜𝑙 𝑅𝑖𝑠𝑘 𝑥 𝐷𝑒𝑡𝑒𝑐𝑡𝑖𝑜𝑛 𝑅𝑖𝑠𝑘
𝐴𝑢𝑑𝑖𝑡 𝑅𝑖𝑠𝑘
Or, 𝐷𝑒𝑡𝑒𝑐𝑡𝑖𝑜𝑛 𝑅𝑖𝑠𝑘 = 𝑅𝑂𝑀𝑀 (𝐼𝑛ℎ𝑒𝑟𝑒𝑛𝑡 𝑅𝑖𝑠𝑘 𝑥 𝐶𝑜𝑛𝑡𝑟𝑜𝑙 𝑅𝑖𝑠𝑘)

Audit risk—Audit risk is the risk that the auditor gives an inappropriate audit opinion
when the financial statements are materially misstated. Audit risk has three components: inherent
risk, control risk and detection risk.
Inherent risk—Inherent risk is the susceptibility of an account balance or class of
transactions to misstatement that could be material, individually or when aggregated with
misstatements in other balances of classes, assuming that there were no related internal controls.
Control risk—Control risk is the risk that a misstatement that could occur in an account
balance or class of transactions and that could be material, individually or when aggregated with
misstatements in other balances or classes, will not be prevented or detected and corrected on a
timely basis by the accounting and internal control systems. It is a function of the effectiveness
of the design, implementation and maintenance of internal control by management to address
identified risks that threaten the achievement of the entity’s objectives relevant to preparation of
the entity’s financial statements.

Instructor: Orlando L. Ananey Page 1 of 5

 College of Accountancy

The risks of material misstatement at the assertion level consist of two components:
inherent risk and control risk. Inherent risk and control risk are the entity’s risks; they exist
independently of the audit of the financial statements.
Detection risk—Detection risk is the risk that an auditor’s substantive procedures will
not detect a misstatement that exists in an account balance or class of transactions that could be
material, individually or when aggregated with misstatements in other balances or classes. It
relates to the nature, timing, and extent of the auditor’s procedures that are determined by the
auditor to reduce audit risk to an acceptably low level. It is therefore a function of the
effectiveness of an audit procedure and of its application by the auditor. Matters such as:
• adequate planning;
• proper assignment of personnel to the engagement team;
• the application of professional skepticism; and
• supervision and review of the audit work performed,
assist to enhance the effectiveness of an audit procedure and of its application and reduce the
possibility that an auditor might select an inappropriate audit procedure, misapply an appropriate
audit procedure, or misinterpret the audit results.
For a given level of audit risk, the acceptable level of detection risk bears an inverse
relationship to the assessed risks of material misstatement at the assertion level. For example, the
greater the risks of material misstatement the auditor believes exists, the less the detection risk
that can be accepted and, accordingly, the more persuasive the audit evidence required by the
auditor.
3. Identifying and Assessing the Risk of Material Misstatement
The auditor shall identify and assess the risks of material misstatement at:
a. The financial statement level; and
b. The assertion level for classes of transactions, account balances, and disclosures, to
provide a basis for designing and performing further audit procedures.
Assessment of Risks of Material Misstatement at the F/S Level
Risks of material misstatement at the financial statement level refer to risks that
relate pervasively to the financial statements as a whole and potentially affect many
assertions. Risks of this nature are not necessarily risks identifiable with specific
assertions at the class of transactions, account balance, or disclosure level. Rather, they
represent circumstances that may increase the risks of material misstatement at the
assertion level, for example, through management override of internal control. Financial
statement level risks may be especially relevant to the auditor’s consideration of the risks
of material misstatement arising from fraud.
Risks at the financial statement level may derive in particular from a weak control
environment (although these risks may also relate to other factors, such as declining
economic conditions). For example, weaknesses such as management’s lack of
competence may have a more pervasive effect on the financial statements and may
require an overall response by the auditor.
The auditor’s understanding of internal control may raise doubts about the
auditability of an entity’s financial statements. For example:
• Concerns about the integrity of the entity’s management may be so serious as to
cause the auditor to conclude that the risk of management misrepresentation in the
financial statements is such that an audit cannot be conducted.
• Concerns about the condition and reliability of an entity’s records may cause the
auditor to conclude that it is unlikely that sufficient appropriate audit evidence
will be available to support an unqualified opinion on the financial statements.
Assessment of Risks of Material Misstatement at the Assertion Level

Instructor: Orlando L. Ananey Page 2 of 5

 College of Accountancy

Risks of material misstatement at the assertion level for classes of transactions,

account balances, and disclosures need to be considered because such consideration
directly assists in determining the nature, timing, and extent of further audit procedures at
the assertion level necessary to obtain sufficient appropriate audit evidence. In identifying
and assessing risks of material misstatement at the assertion level, the auditor may
conclude that the identified risks relate more pervasively to the financial statements as a
whole and potentially affect many assertions.
4. Risk Assessment Process
For this purpose, the auditor shall:
1. Identify risks throughout the process of obtaining an understanding of the entity and its
environment, including relevant controls that relate to the risks, and by considering the
classes of transactions, account balances, and disclosures in the financial statements;
2. Assess the identified risks, and evaluate whether they relate more pervasively to the
financial statements as a whole and potentially affect many assertions;
3. Relate the identified risks to what can go wrong at the assertion level, taking account of
relevant controls that the auditor intends to test; and
4. Consider the likelihood of misstatement, including the possibility of multiple
misstatements, and whether the potential misstatement is of a magnitude that could result
in a material misstatement.
Information gathered by performing risk assessment procedures, including the audit
evidence obtained in evaluating the design of controls and determining whether they have been
implemented, is used as audit evidence to support the risk assessment. The risk assessment
determines the nature, timing, and extent of further audit procedures to be performed. In making
risk assessments, the auditor may identify the controls that are likely to prevent, or detect and
correct, material misstatement in specific assertions.
Generally, it is useful to obtain an understanding of controls and relate them to assertions
in the context of processes and systems in which they exist because individual control activities
often do not in themselves address a risk. Often, only multiple control activities, together with
other components of internal control, will be sufficient to address a risk.
Conversely, some control activities may have a specific effect on an individual assertion
embodied in a particular class of transactions or account balance. For example, the control
activities that an entity established to ensure that its personnel are properly counting and
recording the annual physical inventory relate directly to the existence and completeness
assertions for the inventory account balance.
Controls can be either directly or indirectly related to an assertion. The more indirect the
relationship, the less effective that control may be in preventing, or detecting and correcting,
misstatements in that assertion. For example, a sales manager’s review of a summary of sales
activity for specific stores by region ordinarily is only indirectly related to the completeness
assertion for sales revenue. Accordingly, it may be less effective in reducing risk for that
assertion than controls more directly related to that assertion, such as matching shipping
documents with billing documents.
5. Significant Risk
Significant risk – An identified and assessed risk of material misstatement that, in the
auditor’s judgment, requires special audit consideration.
As part of the risk assessment, the auditor shall determine whether any of the risks
identified are, in the auditor’s judgment, a significant risk. In exercising this judgment, the
auditor shall exclude the effects of identified controls related to the risk. In exercising judgment
as to which risks are significant risks, the auditor shall consider at least the following:
a. Whether the risk is a risk of fraud;

Instructor: Orlando L. Ananey Page 3 of 5

 College of Accountancy

b. Whether the risk is related to recent significant economic, accounting or other

developments and, therefore, requires specific attention;
c. The complexity of transactions;
d. Whether the risk involves significant transactions with related parties;
e. The degree of subjectivity in the measurement of financial information related to the risk,
especially those measurements involving a wide range of measurement uncertainty; and
f. Whether the risk involves significant transactions that are outside the normal course of
business for the entity, or that otherwise appear to be unusual.
Significant risks often relate to significant non-routine transactions or judgmental
matters. Non-routine transactions are transactions that are unusual, due to either size or nature,
and that therefore occur infrequently. Judgmental matters may include the development of
accounting estimates for which there is significant measurement uncertainty. Routine,
noncomplex transactions that are subject to systematic processing are less likely to give rise to
significant risks.
Risks of material misstatement may be greater for significant non-routine transactions
arising from matters such as the following:
• Greater management intervention to specify the accounting treatment.
• Greater manual intervention for data collection and processing.
• Complex calculations or accounting principles.
• The nature of non-routine transactions, which may make it difficult for the entity to
implement effective controls over the risks.
Risks of material misstatement may be greater for significant judgmental matters that
require the development of accounting estimates, arising from matters such as the following:
• Accounting principles for accounting estimates or revenue recognition may be subject to
differing interpretation.
• Required judgment may be subjective or complex, or require assumptions about the
effects of future events, for example, judgment about fair value.
When the auditor has determined that a significant risk exists, the auditor shall obtain an
understanding of the entity’s controls, including control activities, relevant to that risk.
Although risks relating to significant non-routine or judgmental matters are often less
likely to be subject to routine controls, management may have other responses intended to deal
with such risks. Accordingly, the auditor’s understanding of whether the entity has designed and
implemented controls for significant risks arising from non-routine or judgmental matters
includes whether and how management responds to the risks. Such responses might include:
• Control activities such as a review of assumptions by senior management or experts.
• Documented processes for estimations.
• Approval by those charged with governance.
For example, where there are one-off events such as the receipt of notice of a significant
lawsuit, consideration of the entity’s response may include such matters as whether it has been
referred to appropriate experts (such as internal or external legal counsel), whether an assessment
has been made of the potential effect, and how it is proposed that the circumstances are to be
disclosed in the financial statements.
In some cases, management may not have appropriately responded to significant risks of
material misstatement by implementing controls over these significant risks. This may indicate a
material weakness in the entity’s internal control.
6. Risks for Which Substantive Procedures Alone Do Not Provide Sufficient Appropriate
Audit Evidence
In respect of some risks, the auditor may judge that it is not possible or practicable to
obtain sufficient appropriate audit evidence only from substantive procedures. Such risks may
relate to the inaccurate or incomplete recording of routine and significant classes of transactions

Instructor: Orlando L. Ananey Page 4 of 5

 College of Accountancy

or account balances, the characteristics of which often permit highly automated processing with
little or no manual intervention. In such cases, the entity’s controls over such risks are relevant to
the audit and the auditor shall obtain an understanding of them.
Risks of material misstatement may relate directly to the recording of routine classes of
transactions or account balances, and the preparation of reliable financial statements. Such risks
may include risks of inaccurate or incomplete processing for routine and significant classes of
transactions such as an entity’s revenue, purchases, and cash receipts or cash payments.
Where such routine business transactions are subject to highly automated processing with
little or no manual intervention, it may not be possible to perform only substantive procedures in
relation to the risk. For example, the auditor may consider this to be the case in circumstances
where a significant amount of an entity’s information is initiated, recorded, processed, or
reported only in electronic form such as in an integrated system. In such cases:
• Audit evidence may be available only in electronic form, and its sufficiency and
appropriateness usually depend on the effectiveness of controls over its accuracy and
completeness.
• The potential for improper initiation or alteration of information to occur and not be
detected may be greater if appropriate controls are not operating effectively.
7. Revision of Risk Assessment
The auditor’s assessment of the risks of material misstatement at the assertion level may
change during the course of the audit as additional audit evidence is obtained. In circumstances
where the auditor obtains audit evidence from performing further audit procedures, or if new
information is obtained, either of which is inconsistent with the audit evidence on which the
auditor originally based the assessment, the auditor shall revise the assessment and modify the
further planned audit procedures accordingly.
During the audit, information may come to the auditor’s attention that differs
significantly from the information on which the risk assessment was based. For example, the risk
assessment may be based on an expectation that certain controls are operating effectively. In
performing tests of those controls, the auditor may obtain audit evidence that they were not
operating effectively at relevant times during the audit. Similarly, in performing substantive
procedures the auditor may detect misstatements in amounts or frequency greater than is
consistent with the auditor’s risk assessments. In such circumstances, the risk assessment may
not appropriately reflect the true circumstances of the entity and the further planned audit
procedures may not be effective in detecting material misstatements.

Instructor: Orlando L. Ananey Page 5 of 5